Generating security material
First Claim
1. A method for establishing a secure, direct, station-to-station communication between a first station and a second station, the method comprising:
creating pair-wise unique material for the first station, wherein the pair-wise unique material is computed as a function of (i) a known shared secret associated with a piconet basic service set control point (PCP), (ii) a first piece of unique data associated with the first station, and (iii) a second piece of unique data associated with the second station;
securely communicating the pair-wise unique material from the first station to the second station, wherein the first station and the second station independently authenticate with the PCP prior to communicating to establish a security association (SA) with the PCP, and wherein the known shared secret is a group transient key (GTK) of the PCP, wherein the first station and the second station are members of a group of stations associated with the PCP, wherein the PCP is an access point and the group of stations are peer devices that are not access points;
communicating, by the first station, directly via peer-to-peer communications with the second station using the pair-wise unique material to secure the peer-to-peer communications;
broadcasting, by the first station, a communication to the group of stations using at least the GTK from the PCP to secure the communication, wherein communicating directly and broadcasting includes communicating without messages transiting the PCP; and
in response to a race condition associated with colliding messages of a four-way handshake between the first station and the second station, selectively resolving the race condition based on a media access control (MAC) address of the first station and a MAC address of the second station or another unique identifier of the first station and the second station.
Abstract
An apparatus and method establish a secure, direct, station-to-station communication between a first station and a second station in a topology (e.g., PBSS) having a central secret holder/provider that allows secure, direct, station-to-station communications and that allows secure station-to-station broadcast communications. The first station and the second station will have previously established a security association (SA) with a topology control point (PCP). The method includes creating pair-wise unique material for the first station. The pair-wise unique material is computed as a function of (i) a known shared secret associated with the PCP, (ii) a first piece of unique data associated with the first station, and (iii) a second piece of unique data associated with the second station. The method includes securely communicating the pair-wise unique material from the first station to the second station.
11 Claims
6. An apparatus for computing a pair-wise transient key for a first station (Si) and a second station (Sj) of a piconet basic service set (PBSS), the apparatus comprising:
pair-wise key logic, including at least hardware, configured to compute a pair-wise transient key as a function of a GTKPCP that is a group transient key generated by a PBSS control point (PCP), a UniqueSI that is information unique to the first station (Si) and a UniqueSJ that is information unique to the second station (Sj); and pair-wise communication logic, including at least hardware, configured to securely communicate the pair-wise transient key between the first station and the second station, wherein the first station and the second station independently authenticate with the PCP prior to communicating to establish a security association (SA) with the PCP, wherein the first station and the second station are members of a group of stations associated with the PCP, wherein the PCP is an access point and the group of stations are peer devices that are not access points, wherein the pair-wise communication logic is configured to communicate directly via peer-to-peer communications with the second station using the pair-wise transient key to secure the peer-to-peer communications; group-wise communication logic configured to broadcast a communication to the group of stations using at least the group transient key from the PCP to secure the communication, wherein the pair-wise communication logic and the group-wise communication logic are configured to communicate with stations in the group of stations without communicating via the PCP; and race logic configured to resolve a first message race condition associated with colliding four-way handshake attempts by the first station and the second station based on a media access control (MAC) address of the first station and a MAC address of the second station.
11. An apparatus, comprising:
pair-wise key logic, including at least hardware, configured to create pair-wise unique material for a first station, wherein the first station and a second station have previously established a security association (SA) with a topology control point (PCP), wherein the pair-wise unique material is computed as a function of (i) a known shared secret associated with the PCP, (ii) a first piece of unique data associated with the first station, and (iii) a second piece of unique data associated with the second station; pair-wise communication logic, including at least hardware, configured to securely communicate the pair-wise unique material from the first station to the second station, wherein the first station and the second station independently authenticate with the PCP prior to communicating to establish the SA, wherein the known shared secret is a group transient key (GTK) of the PCP, wherein the first station and the second station are members of a group of stations associated with the PCP, wherein the PCP is an access point and the group of stations are peer devices that are not access points, and wherein the pair-wise communication logic is configured to communicate directly via peer-to-peer communications with the second station using the pair-wise unique material to secure the peer-to-peer communications; group-wise communication logic configured to broadcast a communication to the group of stations using at least the group transient key from the PCP to secure the communication, wherein the pair-wise communication logic and the group-wise communication logic are configured to communicate with stations in the group of stations without communicating via the PCP; and race logic configured to resolve a first message race condition associated with colliding four-way handshake attempts by the first station and the second station based on a media access control (MAC) address of the first station and a MAC address of the second station.
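The two pieces of logic that claims 1, 6 and 11 share, the pair-wise key function PTK = f(GTKPCP, UniqueSI, UniqueSJ) and the MAC-based tie-break for colliding four-way handshakes, are illustrated below. This is an added example, not code from the patent: the patent only says the key is "a function of" those inputs and that the race is resolved "based on" the MAC addresses, so the HMAC-SHA256 instantiation, the ordering of the unique values, the lower-MAC-wins rule and all sample values are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample values (not from the patent). The GTK is the group key the
# PCP handed out after each station's own SA with it; each station's unique data
# is taken to be its MAC address.
GTK_PCP = hashlib.sha256(b"constructed GTK for the example").digest()
MAC_SI = bytes.fromhex("02000000000a")   # first station, Si
MAC_SJ = bytes.fromhex("02000000001b")   # second station, Sj
MAC_SK = bytes.fromhex("02000000002c")   # a third group member, for contrast


def derive_pairwise_key(gtk: bytes, unique_a: bytes, unique_b: bytes) -> bytes:
    """PTK = f(GTK_PCP, Unique_Si, Unique_Sj), assumed here to be HMAC-SHA256
    keyed with the GTK. Sorting the two unique values first means Si and Sj
    obtain the same PTK whichever of them computes it, and the length prefixes
    keep (unique_a, unique_b) unambiguous when the values differ in size."""
    lo, hi = sorted((unique_a, unique_b))
    label = b"PBSS pair-wise transient key"
    msg = label + bytes([len(lo)]) + lo + bytes([len(hi)]) + hi
    return hmac.new(gtk, msg, hashlib.sha256).digest()


def resolve_handshake_race(mac_self: bytes, mac_peer: bytes) -> str:
    """Both stations sent message 1 of the four-way handshake at once.
    Assumed tie-break: the station with the numerically lower MAC keeps its
    role as initiator; the other abandons its own attempt and only responds.
    Because both sides apply the same rule to the same pair of addresses, they
    reach complementary roles without any message transiting the PCP."""
    if mac_self == mac_peer:
        raise ValueError("stations must have distinct MAC addresses")
    return "initiator" if mac_self < mac_peer else "responder"


def stations_agree(gtk: bytes, mac_a: bytes, mac_b: bytes) -> bool:
    """True when each side's independent derivation yields the same PTK and
    the race rule assigns them opposite handshake roles."""
    same_key = derive_pairwise_key(gtk, mac_a, mac_b) == derive_pairwise_key(gtk, mac_b, mac_a)
    roles = {resolve_handshake_race(mac_a, mac_b), resolve_handshake_race(mac_b, mac_a)}
    return same_key and roles == {"initiator", "responder"}


if __name__ == "__main__":
    ptk = derive_pairwise_key(GTK_PCP, MAC_SI, MAC_SJ)
    print("PTK(Si,Sj) =", ptk.hex())
    print("Si role:", resolve_handshake_race(MAC_SI, MAC_SJ))
    print("stations agree:", stations_agree(GTK_PCP, MAC_SI, MAC_SJ))
```

The PTK for (Si, Sj) differs from the PTK for (Si, Sk) and from the GTK itself, so a compromised per-pair key does not expose the group broadcast key or another pair's traffic.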